Vulnerability in Xiaomi's pre-installed apps could affect more than 150 million devices

A vulnerability that could allow man-in-the-middle attacks and the injection of malicious code has been found in a pre-installed app on devices manufactured by Xiaomi, one of the biggest mobile vendors.

The flaw, uncovered by researchers at Check Point is -- somewhat ironically -- in the pre-installed security app, 'Guard Provider', which is meant to protect the phone from malware.

Due to the unsecured nature of the network traffic to and from the Guard Provider app and the use of multiple SDKs within the same app, a threat actor could connect to the same Wi-Fi network as the victim and carry out a man-in-the-middle attack to inject malicious code onto the device.

Check Point has responsibly disclosed this vulnerability to Xiaomi, which released a patch shortly afterwards. Xiaomi has around an eight percent share of the mobile market and the vulnerability could therefore affect more than 150 million customers.

The researchers point out that this highlights a risk with the use of SDKs. As more and more third party code is added to an app, protecting user data and controlling performance gets much more complicated. On average a single app now has over 18 SDKs implemented and a problem with one could compromise the others as they all share the app's context and permissions.

You can read more about the vulnerability on the Check Point blog. If you have a Xiaomi device you should make sure the software is updated.

Photo Credit: Profit_Image/Shutterstock